In June 2012, Cloudflare partnered with various web hosts, including HostPapa, to implement its "Railgun" technology.[8][9]

In February 2014, Cloudflare mitigated the largest-ever recorded DDoS attack at that time, which peaked at 400 Gbit/s against an undisclosed customer.[10] In November 2014, Cloudflare reported another massive DDoS attack with independent media sites being targeted at 500 Gbit/s.[11]

In February 2014, it acquired StopTheHacker, which offers malware detection, automatic malware removal, and reputation and blacklist monitoring.[19][20] In December 2016, Cloudflare acquired Eager, with a view to upgrading Cloudflare's Apps platform to allow drag-and-drop installation of third-party apps onto Cloudflare-enabled sites.[21]

Cloudflare offers all customers an "I'm Under Attack Mode" setting. Cloudflare claims this can mitigate advanced Layer 7 attacks by presenting a JavaScript computational challenge which must be completed by a user's browser before the user can access a website.[22]

Cloudflare defended Spamhaus from a DDoS attack that exceeded 300 Gbit/s. Akamai's chief architect stated that at the time it was "the largest publicly announced DDoS attack in the history of the Internet".[23][24] Cloudflare has also reportedly absorbed attacks that peaked at over 400 Gbit/s from an NTP reflection attack.[25]

Cloudflare allows customers on paid plans to use a web application firewall service. By default, the firewall has the OWASP ModSecurity Core Rule Set alongside Cloudflare's own ruleset and rulesets for popular web applications.[26]

Cloudflare offers a free authoritative Domain Name System (DNS) service, powered by an anycast network, for all clients.[27] According to W3Cook, Cloudflare's DNS service currently powers over 35% of managed DNS domains.[28] SolveDNS has found Cloudflare to consistently have one of the fastest DNS lookup speeds worldwide, with a reported lookup speed of 8.66 ms in April 2016.[29]

Cloudflare's network has the highest number of connections to Internet exchange points of any network worldwide.[33] Cloudflare caches content at its edge locations to act as a content delivery network (CDN); all requests are then reverse proxied through Cloudflare, with cached content served directly from Cloudflare.

In 2014, Cloudflare introduced Project Galileo in response to cyber attacks launched against important, yet vulnerable targets, such as artistic groups, humanitarian organizations, and the voices of political dissent. Working with free speech, public interest, and civil society organizations, Cloudflare then extends its Enterprise-class DDoS protection and business-level performance benefits to ensure these websites stay online, protecting their voice from being silenced.

Cloudflare has been vocal about its values, with CEO Matthew Prince stating:

"One of the greatest strengths of the United States is a belief that speech, particularly political speech, is sacred. A website, of course, is nothing but speech...A website is speech. It is not a bomb. There is no imminent danger it creates and no provider has an affirmative obligation to monitor and make determinations about the theoretically harmful nature of speech a site may contain."[34]

Cloudflare publishes a Transparency Report on a semiannual basis to show how often law enforcement agencies request data about its clients.[35]

The hacker group UGNazi attacked Cloudflare partially via flaws in Google's authentication systems in June 2012, gaining administrative access to Cloudflare and using it to deface 4chan.[51][52] Cloudflare published the details of the hack in full. Following this, Google publicly announced it had patched the flaw in the Google Enterprise App account recovery process which allowed the hackers to bypass two-step verification.[53] Later, the leader of the hacking group, Cosmo, was arrested and sentenced in California.[54]

From September 2016 until February 2017, a major Cloudflare bug (nicknamed Cloudbleed) leaked sensitive data, including passwords and authentication tokens from customer websites, by sending extra data in response to web requests.[55] The leaks resulted from a buffer overflow, which occurred, according to analysis by Cloudflare, on approximately 1 in every 3,300,000 HTTP requests.[56][57]

In May 2017, ProPublica reported that Cloudflare, as a matter of policy, relays the names and email addresses of persons complaining about hate sites to the sites in question, which has led to the complainants being harassed. Cloudflare’s general counsel defended the company's policies by saying it is “base constitutional law that people can face their accusers.”[58] In response, Cloudflare updated its abuse reporting process to give the complaining party greater control over who is notified.[59]

In September 2017, free-speech advocates criticized Cloudflare for dropping the American neo-Nazi website The Daily Stormer as a customer, which made it difficult for The Daily Stormer to stay online. "Denying security service to one Nazi website seems fine now, but what if Cloudflare started suspending service for a political candidate that its chief executive didn’t like?" wrote Yale Law School doctoral candidate Kate Klonick in a New York Times article entitled "The Terrifying Power of Internet Censors", noting "the scarcity of competitors".[60]

Two of the Islamic State of Iraq and the Levant's top three online chat forums are guarded by Cloudflare, but U.S. law enforcement has not asked the company to discontinue the service, and it has not chosen to do so itself.[65]

An October 2015 report found that Cloudflare provisioned 40% of SSL certificates used by phishing sites with deceptive domain names resembling those of banks and payment processors.[66]

In November 2015, Anonymous discouraged the use of Cloudflare's services, following the ISIL attacks in Paris and the renewed accusation that it provides help to terrorists.[67] Cloudflare responded by calling its accusers "15-year-old kids in Guy Fawkes masks" and saying that whenever such concerns are raised, it consults actual anti-terrorism experts and abides by the law.[68]

Cloudflare is listed on Spamhaus for providing spam support services (pink contract). The current list of Spamhaus listings changes on a near-daily basis as reported issues are addressed with the responsible website owner.[69]